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ABSTRACT 

Dense, unmanaged 802.11 deployments tempt saboteurs into 
launching jamming attacks by injecting maUcious interfer- 
ence. Nowadays, jammers can be portable devices that trans- 
mit intermittently at low power in order to conserve energy. 
In this paper, we first conduct extensive experiments on an 
indoor 802.11 network to assess the ability of two physical 
layer functions, rate adaptation and power control, in miti- 
gating jamming. In the presence of a jammer we find that: 
(a) the use of popular rate adaptation algorithms can sig- 
nificantly degrade network performance and, (b) appropri- 
ate tuning of the carrier sensing threshold allows a transmit- 
ter to send packets even when being jammed and enables a 
receiver capture the desired signal. Based on our findings, 
we build ARES, an Anti-jamming REinforcement System, 
which tunes the parameters of rate adaptation and power con- 
trol to improve the performance in the presence of jammers. 
ARES ensures that operations under benign conditions are 
unaffected. To demonstrate the effectiveness and generality 
of ARES, we evaluate it in three wireless testbeds: (a) an 
802.1 In WLAN with MIMO nodes, (b) an 802.1 la/g mesh 
network with mobile jammers and (c) an 802.11a WLAN. 
We observe that ARES improves the network throughput across 
all testbeds by up to 150%. 

Categories and Subject Descriptors 

C.2.0 [General]: Security and Protection; C.2.3 [Computer 
Communication Networks]: Network Operations 
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Security 
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1. INTRODUCTION 

The widespread proliferation of 802.11 wireless net- 
works makes them an attractive target for saboteurs 
with jamming devices [Ij. Numerous jamming attacks 
have been reported in the recent past [21 [3l [4]; this 
makes the defense against such attacks very critical. A 



jammer transmits either dummy packets or simply elec- 
tromagnetic energy to hinder legitimate communications 
on the wireless medium. A jamming attack can cause 
the following effects in an 802.11 network: (a) Due to 
carrier sensing, co-channel transmitters detect activity 
on the medium and thus, defer their packet transmis- 
sions for prolonged periods, (b) The jamming signal 
collides with legitimate packets at receivers. As a con- 
sequence, the throughput is significantly reduced be- 
cause of these effects. Frequency hopping techniques 
have been previously proposed for avoiding jammers [5] 
[6]. Such schemes however, are not effective in scenar- 
ios with wide-band jammers [3 |8]. Furthermore, given 
that 802.11 operates on relatively few frequency chan- 
nels, multiple jamming devices operating on different 
channels can significantly hurt performance in spite of 
using frequency hopping [9]. More than that, although 
Frequency Hopping Spread Spectrum was available in 
the initial 802.11 standard, it was not later included in 
the 802.11a/b/g standards that are popular today (TO]. 

In this paper, we ask the question: How can legacy 
802.11 devices alleviate the effects of a jammer that re- 
sides on the same channel as a legitimate communicating 
pair, in real time? We address this challenge by de- 
veloping 

ARE^l, a novel, measurement driven system, 
which detects the presence of jammers and invokes rate 
adaptation and power control strategies to alleviate jam- 
ming effects. Clearly, not much can be done to mitigate 
jammers with unlimited resources in terms of transmis- 
sion power and spectrum efficiency. Note however that 
in a plurality of cases the jamming device can be re- 
source constrained, with capabilities similar to that of 
the legitimate devic^. Portable, battery-operated jam- 
mers are typically configured to transmit intermittently 
and sometimes at low power, in order to conserve energy 
and harm the network for extended periods of time. Ad- 
ditionaly, misconfiguration of "legitimate" devices can 
transform them to a resource-constrained jammer 
In these and similar cases, ARES can effectively fight 
against the malicious entity, as we discuss later. 
Our contributions in this paper are the following: 



^ARES [pron. "aris"] was the god of war in Greek mythology; 
we choose the name as a symbol of the combat with jammers. 
^We implement a jamming utility on a commodity 802.11 
NIC as described in more detail in Section [3l 



1. Understanding the impact of jammers in an 
802.11 network with rate/power control. First, 
we perform an in-depth measurement-based experimen- 
tal study on our indoor testbed, to quantify the impact 
of jamming when employing rate and/or power control. 
To the best of our knowledge, there are no such studies 
to date. With rate control, a transmitter can increase 
or lower its transmission rate depending on the observed 
packet delivery ratio (PDR) at the receiver. With power 
control, nodes may increase their transmission powers 
and/or clear channel assessment (CCA) thresholds [TT] 
in order to increase the probability of successful packet 
reception. The design of ARES is driven by our two key 
experimental observations: 

i) Rate adaptation can be counter-productive: 
In the presence of a jammer that is active intermittently 
(and sleeps in between), the use of rate adaptation is 
not always beneficial. We conduct experiments with 
three popular rate adaptation algorithms: SampleRate 
[T2) . Onoe [13] and AMRR (Adaptive Multi Rate Retry) 
p!4]. With every scheme, we observe that the use of rate 
adaptation may work in favor of the jammer! This is 
because, rate adaptation wastes a large portion of a jam- 
mer's sleeping time in order to gradually converge to the 
"best" rate. We analytically determine when fixed rate 
operations may be preferable to the use of rate adapta- 
tion. 

ii) Tuning the carrier sense threshold is bene- 
ficial: We collect throughput measurements with many 
different transmission powers and CCA thresholds. We 
find that: (a) In the presence of a jammer, legitimate 
transmissions with maximum power could lead to sig- 
nificant benefits, only when operating at low data rates, 
(b) Increasing the CCA threshold can allow a transmit- 
ter that is being jammed to send packets and at the 
same time, facilitate the capture of packets in the pres- 
ence of jamming interference; together, these effects can 
significantly reduce the throughput degradation. 

2. Designing ARES, a novel anti-jamming sys- 
tem. The above observations drive the design of ARES. 
ARES primarily consists of two modules. The rate con- 
trol module decides between fixed-rate assignment and 
rate adaptation, based on channel conditions and the 
jammer characteristics. The primary objective of this 
module is to effectively utilize the periods when a jam- 
mer is asleep. The power control module adjusts the 
CCA threshold to facilitate the transmission and the re- 
ception (capture) of legitimate packets during jamming. 
Care is taken to avoid starvation of nodes due to the cre- 
ation of asymmetric links [llj. This module is used to 
facilitate successful communications while the jammer 
is active. Although rate and power control have been 
proposed as interference alleviation techniques, their be- 
havior has not been studied in jamming environments. 
Our work is the first to conduct such a study, as dis- 
cussed later. 

3. Implementing and experimentally validating 

ARES. We implement and evaluate the modules of ARES 



on real hardware, thereby making ARES one of the few 
anti-jamming system implementations for 802.11 net- 
works. ARES also contains a jammer detection mod- 
ule that incorporates a mechanism proposed previously 
in [15j. To demonstrate the effectiveness and general- 
ity of our system, we apply it on three different exper- 
imental networks: a static 802. lln WLAN with MIMO 
enabled nodes, an 802.11a/g mesh network with mo- 
bile jammers, and a static 802.11a WLAN with uplink 
TCP traffic. Our measurements demonstrate that ARES 
provides performance benefits in all the three networks; 
throughput improvements of up to 150% are observed. 

The remainder of the paper is structured as follows. 
In section [21 we provide some background on jamming 
and discuss related studies. In section [3l we describe our 
wireless testbed and the experimental methodology. We 
describe our extensive experiments to understand the 
impact of rate and power control in the presence of a 
jammer in section IH In section O we construct ARES 
based on our observations. We present our evaluations 
of ARES in section [6l Section [71 discusses the scope of 
our study. We conclude in section [51 

2. BACKGROUND AND RELATED WORK 

In this section, first we briefly describe the operations 
of a jammer and its attack capabilities. Next, we discuss 
relevant previous studies. 

Types of Jamming Attacks. Jammers can be dis- 
tinguished in terms of their attack strategy; a detailed 
discussion can be found in [15j. 

Non-stop jamming: Constant idLmmeis continuously 
emit electromagnetic energy on a channel. Nowadays, 
constant jammers are commercially available and easy 
to obtain [l] [7]. While constant jammers emit non- 
decipherable messages, deceptive idLmmeis transmit seem- 
ingly legitimate back-to-back dummy data packets. Hence, 
they can mislead other nodes and monitoring systems 
into believing that legitimate traflic is being sent. 

Intermittent Jamming: As the name suggests, these 
jammers are active intermittently; the primary goal is to 
conserve battery life. A random jammer typically alter- 
nates between uniformly-distributed jamming and sleep- 
ing periods; it jams for Tj seconds and then it sleeps for 
Tg seconds. A reactive jammer starts emitting energy 
only if it detects traflic on the medium. This makes 
the jammer diflicult to detect. However, implementing 
reactive jammers can be a challenge. 

For the purposes of this work, we primarily consider 
the random jammer model. Attackers are motivated into 
using a random jammer because putting the jammer to 
sleep intermittently can increase its lifetime and decrease 
the probability of detection [15j. Furthermore, it is the 
most generalized representation of a jammer; appropri- 
ately choosing the sleep times could turn the jammer 
into a constant jammer or (with high probability) a reac- 
tive jammer. Moreover, reactive jammers are not easily 
available since they are harder to implement and require 
special expertise on the part of the attacker. We discuss 



the applicability of ARES with constant and reactive 
jammers, in section [3 

Related work. Most previous studies employ fre- 
quency hopping to avoid jammers. Frequency hopping, 
however, cannot alleviate the influence of a wide-band 
jammer |7ll3: which can effectively jam all the available 
channels. In addition, recent studies have shown that 
a few cleverly-coordinated, narrow-band jammers can 
practically block the whole spectrum [9j. Thus, ARES 
does not rely on frequency hopping. 

Studies based on frequency hopping: Navda et 
al [5\ implement a proactive frequency hopping proto- 
col with pseudo-random channel switching. They com- 
pute the optimal frequency hopping parameters, assum- 
ing that the jammer is aware of the procedure followed. 
Xu et al. [6J propose two anti-jamming techniques: reac- 
tive channel surfing and spatial retreats. However, their 
work is on sensor networks which only support very low 
data rates and transmission powers. Gummadi et al. 
[16] find that 802.11 devices are vulnerable to specific 
patterns of narrow-band interference related to time re- 
covery, dynamic range selection and PLCP-header pro- 
cessing. They show that due to these limitations, an in- 
telligent jammer with a 1000 times weaker signal (than 
that of the legitimate transceiver) can still corrupt the 
reception of packets. In order to alleviate these effects, 
they propose a rapid frequency hopping strategy. 

Other relevant work: Xu et al. [15j develop ef- 
ficient mechanisms for jammer detection at the PHY 
layer (for all the 4 types of jammers). However, they 
do not propose any jamming mitigation mechanisms. In 
[17], the same authors suggest that competition strate- 
gies, where transceivers adjust their transmission powers 
and/or error correction codes, might alleviate jamming 
effects. However, they neither propose an anti-jamming 
protocol nor perform evaluations to validate their sug- 
gestions. Lin and Noubir [18] present an analytical eval- 
uation of the use of cryptographic interleavers with dif- 
ferent coding schemes to improve the robustness of wire- 
less LANs. In [19], the authors show that in the absence 
of error-correction codes (as with 802.11) the jammer can 
conserve battery power by destroying only a portion of a 
legitimate packet. Noubir [20j also proposes the use of a 
combination of directional antennae and node-mobility 
in order to alleviate jammers. ARES can easily be used 
in conjunction with directional antennae or with error 
correction codes. 

Prior work on rate and power control: Rate and 
power control techniques have been proposed in the lit- 
erature, as means of mitigating interference (e.g. [211 
\T2\ [TTJ [22] and the references therein). However, they 
do not account for a hostile jamming environment; with 
these schemes, nodes cooperate in order to mitigate the 
impact of "legitimate" interference, thereby improving 
the performance. On the other hand, ARES is special- 
ized towards handling malicious interference of jammers, 
which attempt to disrupt ongoing communications. 




Figure 1: The deployment of our wireless 
testbed. 

3. EXPERIMENTAL SETUP 

In this section, we describe our wireless testbed and 
the experimental methodology that we follow. 

Testbed Description: Our wireless testbed [23] is 
deployed in the third floor of Engineering Building II, 
at the University of California, Riverside. Our testbed 
consists of 37 Soekris net4826 nodes [24], which mount 
a Debian Linux distribution with kernel v2.6, over NFS. 
The node layout is depicted in Figure [TJ Thirty of these 
nodes are each equipped with two miniPCI 802.11a/g 
WiFi cards, an EMP-8602 6G with Atheros chipset and 
an Intel- 29 15. The other 7 nodes are equipped with 
one EMP-8602 6G and one RT2860 card that supports 
MIMO-based (802.1 In) communications. We use the 
MadWifi driver [25j for the EMP-8602 6G cards. We 
have modified the Linux client driver [26j of the RT2860 
to enable STBC (Space Time Block Coding) support. 
We use a proprietary version of the ipw2200 AP (access 
point) and client driver /firmware of the Intel- 29 15 card. 
With this version we are able to tune the CCA threshold 
parameter. 

Experimental Settings and Methodology: We 

experiment with different rate adaptation algorithms in 
the presence of random jammers. We also perform ex- 
periments with various transmission powers of jammers 
and powers/CCA thresholds of legitimate nodes. Our 
measurements encompass an exhaustive set of wireless 
links, routes of different lengths, as well as static and 
mobile jammers. We examine both SISO and MIMO 
links. We experiment with three modes of operation: 
802.11a/g/n (unless otherwise stated throughout this 
paper, our observations are consistent for all three modes 
of operation). The experiments are performed late at 
night in order to isolate the impact of the jammers by 
avoiding interference from co- located WLANs. By de- 
fault, all devices (legitimate nodes and jammers) set 
their transmission powers to 18 dBm. 

Implementing a random jammer: Our implemen- 
tation of a random jammer is based on a specific config- 
uration (CCA = dBm) and a user space utility that 



sends broadcast packets as fast as possible. For the pur- 
poses of research, we have implemented our own random 
jammer on an 802.11 legacy device, by setting the CCA 
threshold to dBm. By setting the CCA threshold to 
such a high value, we force the device to ignore all legit- 
imate 802.11 signals even after carrier sensing; packets 
arrive at the jammer's circuitry with powers less than 
dBm (even if the distances between the jammer and 
the legitimate transceivers are very small). An effective 
random jammer should be able to transmit packets on 
the medium, as fast as possible, during random active 
time intervals. We develop a user- space software utility 
with the following functionalities: 

• The jammer transmits broadcast UDP traffic. This 
ensures that its packets are transmitted back-to- 
back and that the jammer does not wait for any 
ACK messages (by default the backoff functionality 
is disabled in 802.11 for broadcast traffic); in other 
words, this set up allows the jamming node to de- 
fer its back-to-back transmissions for the minimum 
possible time (i.e. DIFS -\-minBackOff)- Our util- 
ity employs raw sockets, which allow the construc- 
tion of UDP packets from scratch and the forward- 
ing of each packet directly down to the hardwar^. 
Note that this implementation bypasses the 802.11 
protocol and hence, the jammer does not wait in 
the backoff state after each packet transmission. 

• Our utility schedules uniformly-distributed random 
jamming intervals. The jammer is in the active 
state for a random period of time, during which it 
constantly transmits packets back- to-back. It then 
transits to an idle (sleeping) state for a different, 
randomly chosen period of time during which it 
does not emit energy. The two states alternate and 
their durations are computed anew at the begin- 
ning of each cycle (a cycle consists of an active and 
an idle period). 

We use a set of 4 nodes as jammers on our testbed; 
these are equipped with Intel- 29 15 cards which allow 
CCA tuning. 

Traffic characteristics: We utilize the iperf mea- 
surement tool to generate UDP data traffic among le- 
gitimate nodes; the packet size is 1500 bytes. The du- 
ration of each experiment is 1 hour. For each exper- 
iment, we first enable iperf traffic between legitimate 
nodes, and subsequently, we activate the jammer(s). We 
consider both mesh and WLAN connectivity. We ex- 
periment with different jammer distributions, namely: 
(a) frequent jammers, which are active almost all of 
the time, (b) rare jammers, which spend most of their 
time sleeping, and (c) balanced jammers that have sim- 
ilar average jamming and sleeping times. We have dis- 
abled RTS/CTS message exchange throughout our ex- 
periments (a common design decision in practice [27]). 

^Administration privileges are required for this operation. 



4. DERIVING SYSTEM GUIDELINES 

In this section, we describe our experiments towards 
understanding the behavioral trends of power and rate 
adaptation techniques, in the presence of random jam- 
mer(s). Our goal is to determine if there are properties 
that can be exploited in order to alleviate jamming ef- 
fects. We perform experiments on both single- hop and 
multi-hop configurations. 

4.1 Rate Adaptation in Jamming Environments 

Rate adaptation algorithms are utilized to select an 
appropriate transmission rate as per the current channel 
conditions. As interference levels increase, lower data 
rates are dynamically chosen. Since legitimate nodes 
consider jammers as inter ferers, rate adaptation will re- 
duce the transmission rate on legitimate links while jam- 
mers are active. Hence, one could potentially argue that 
rate control on legitimate links increases reliability by 
reducing rate and thus, can provide throughput benefits 
in jamming environments. 

To examine the validity of this argument, we exper- 
iment with three different, popular rate adaptation al- 
gorithms, SampleRate [12j, AMRR [14J and Onoe lH]. 
These algorithms are already implemented on the Mad- 
Wifi driver that we use. For simplicity, we first consider 
a balanced jammer, which selects the sleep duration from 
a uniform distribution /7[1, 8] and the jamming duration 
from /7[1,5] (in seconds). 

Details on the experimental process: We per- 
form experiments with both single-hop and multi-hop 
configurations. For each experiment, we first load the 
particular rate-control Linux-kernel module (SampleR- 
ate, AMRR or Onoe) on the wireless cards of legitimate 
nodes. We initiate data traffic between the nodes and 
after a random time, we activate the jammer. We collect 
throughput measurements on each data link once every 
500 msec. We use the following terminology: 

1) Fixed transmission rate Rf. This is the nominal 
transmission rate configured on the wireless card. 

2) Saturated rate Rg: It is the rate achieved when Rf 
is chosen to be the rate on the wireless card. In order to 
compute Rs, for a given Rf, we consider links where the 
packet delivery ratio (PDRjl is 100 % for the particu- 
lar setting of Rf, we then measure the rate achieved in 
practice. We notice that for lower values of Rf, the spec- 
ified rate is actually achieved on such links. However, for 
higher values of Rf (as an example i?/ = 54 Mbps), the 
achieved data rate is much lower due to MAC layer over- 
heads, such as MAC layer retransmissions [28j. Table [T] 
contains a mapping, derived from measurements on our 
testbed, between Rf and Rg. 

3) Application data rate Ra'- This is the rate at which 
the application generates data. 

It is difficult (if not impossible) to a priori determine 
the best fixed rate on a link. Given this difficulty, we 

^We refer to the application layer packet delivery ratio, which 
includes the MAC layer retransmissions. 
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Table 1: The saturated-throughput matrix in 
Mbps. 

set Rf = {min Rf : Rf > Ra}^ which is the maximum 
rate that is required by the apphcation (we discuss the 
imphcations of this choice later). Our key observations 
are summarized below: 

• Rate adaptation algorithms perform poorly 
on high-quality links due to the long times 
that they incur for converging to the appro- 
priate high rate. 

• On lossless links, the fixed rate Rf is better, 
while rate adaptation is beneficial on lossy 
links. 

We defer defining what constitute lossless or lossy links 
to later; conceptually, we consider lossless links to be 
those links that can achieve higher long-term through- 
puts using a fixed transmission rate Rf , rather than by 
applying rate adaptation. 

4.1.1 Single -hop Configurations 

Our experiments with one-hop connectivity involve 80 
sets of sender-receiver pairs and one jammer per pair. 
We impose that a jammer interferes with one link at a 
time and that the legitimate data links do not interfere 
with each other. Thus, we perform 20 different sets of 
experiments, with 4 isolated data links and 4 jammers 
in each experiment. 

Rate adaptation consumes a significant part of 
the jammer's sleep time, to converge to the ap- 
propriate rate: As soon as the jammer "goes to sleep" , 
the link quality improves and thus, the rate control algo- 
rithm starts increasing the rate progressively. However, 
since the purpose of a jamming attack is to corrupt as 
many transmissions as possible, the jammer will typi- 
cally not sleep for a long time. In such a case, the sleep 
duration of the jammer will not be enough for the rate 
control to reach the highest rate possible. To illustrate 
this we choose two links on our testbed, one that can sup- 
port 12 Mbps and the other that can support 54 Mbps. 
Figure [2] depicts the results. We observe that (a) irre- 
spective of whether SampleRate or a fixed rate strategy 
is used, during jamming the throughput drops to values 
close to zero since the jammer blocks the medium for the 
sender, and (b) the throughput achieved with SampleR- 
ate is quite low, and much lower than if we fix the rate 
to the constant value of 12 Mbps. Note that we have 
observed the same behavior with AMRR and Onoe. 

Fixed rate assignment outperforms rate adap- 
tation on lossless links: As alluded to above, in order 
to find the best rate on a link after the impact of a jam- 
mer, the rate adaptation mechanisms gradually increase 
the rate, invoking transmissions at all the lower rates 
interim, until the best rate is reached. For links that 
can inherently support high rates, this process might 



consume the sleep period of the jammer (as suggested 
by the results in Figure [2]) . If the best rate for a link 
was known a priori, at the instance that the jammer 
goes to sleep, transmissions may be invoked at that rate. 
This would utilize the sleep period of the jammer more 
effectively. As observed in Figure [31 the throughputs 
achieved with fixed rate assignment are much higher 
than those achieved with rate adaptation on such links. 

Determining the right transmission rate policy: 

Implications of setting Rf = {min Rf : Rf > Ra}' 
Since the application does not require the link to sustain 
a higher rate, the highest throughput for that applica- 
tion rate is reached either with this choice of Rf or with 
some rate that is lower than Ra. If the rate adaptation 
algorithm converges to a rate that results in a through- 
put that is higher than with the chosen Rf^ then the 
adaptive rate strategy should be used. If instead, during 
the jammer's sleep period, the rate adaptation technique 
is unable to converge to such a rate, the fixed rate strat- 
egy is better. 

Analytically determining the right rate: In order to de- 
termine whether it is better to use a fixed or an adaptive- 
rate approach for a given link, we perform an analysis 
based on the following parameters: 

1. The distribution of the jammer's active and sleep 
periods (we call this the jammer ^s distribution). 

2. The application data rate, Ra. 

3. The performance metric on the considered legiti- 
mate link, i.e., PDR, link throughput, etc. 

4. The rate adaptation scheme that is employed, i.e., 
Onoe, SampleRate, etc. The key scheme-specific 
factor is the transition time from a lower rate to 
the next higher rate, under conducive conditions. 

5. The effectiveness of the jammer F, measured by 
the achievable throughput while the jammer is on. 
The lower the throughput, the more effective the 
jammer. 

Let us suppose that the expected sleeping duration of 
the jammer during a cycle, is given by E[ts] and the 
expected period for which it is active, by E[tj]. The ex- 
pected duration of a cycle is then E[ts] + E[tj]. As an 
example, if the jammer picks its sleeping period from a 
uniform distribution U[a^b] and its jamming period from 
U[c, d], E[ts] and E[tj] are equal to and ^i^, respec- 
tively. For simplicity let us assume that the link-quality 
metric employee^ is the PDR. With application data 
rate Ra and fixed transmission rate Rf^ the through- 
put achieved during a jammer's cycle is: 

E[ts] I -^fe] 

'f'^^' - E[t,] + E[t,] ' "^^""^ • + E[t,] + E[t,] ' 

(1) 

^Our analysis can be modified to adopt any other link-quality 
metric. 



Fixed rate 12Mbps - 
Sample rate 12Mbps - 




Fixed rate 54Mbps - 
Sample rate 54Mbps - 



Figure 2: Rate adaptation algorithms may not find the best rate 
during the sleep period of the jammer. We show cases for 2 
different links, one with Ra = 12 Mbps (left) and one with Ra = 54 
Mbps (right). 
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Figure 3: Fixed rates outper- 
form rate adaptation for high- 
quality links, under random jam- 
ming. {Ra = Rf) 



where PDRf is the PDR of the hnk at rate Rf. Recah 
that the rate achieved in practice with a specified rate 
Rf is Rs. 

To compute the throughput with rate adaptation^ we 
proceed as follows. Let us assume that x{F, Rs) corre- 
sponds to the convergence time of the rate adaptation 
algorithm (specific to the chosen algorithm). We con- 
sider the following two cases. 

1) x{F^Rs) < E[ts]. This case holds when the jam- 
mer's sleep duration is sufficient (on average) for the rate 
control algorithm to converge to the best rate Rs . In this 
scenario, the achievable throughput is: 



^ adapt 



[E[ts] - x{Rs)]-Rs + ^ yiRiYRi + E[tj] ■ F 

Ri 

where Ri e S being the set of all intermediate rates 
from F to Rs. y{Ri) is the time that the rate control al- 
gorithm spends at the corresponding rate Ri . The values 
of y{Ri) are specific to the implementation of the rate 
control algorithm. Note that x(F, Rs) can be easily com- 
puted from y{Ri) by adding all the individual durations 
for the rates belonging to the set S. 
2) cc(F, i^s) > E[ts]. In this scenario, the average sleep 
time of the jammer is insufficient for the rate control 
algorithm to converge to the desired rate. When the 
jammer wakes up, the rate will again drop to lower levels 
due to increased interference. Here, the throughput that 
can be achieved during a jammer's cycle is: 



Y,y{R^)■R^- 



^ adapt 



i=l 



■Rn+l + E[tj]-F 



Em+E[t,] 



where n = max{k : ^^^y{Ri) < E[ts] }. 

i=l 

Based on the above analysis, we define a link to be 
lossy, when Tfi^ed < Tadapt] the links on which Tfi^^d > 
Tadapt are classified as lossless links. Clearly for lossy 
links it is better to use the rate adaptation algorithm. 
The analysis can be used to compute PDRj^ ^ a thresh- 
old value of PDRf below which, a rate adaptation strat- 



egy performs better than the fixed rate approach. In 
particular, by setting Tfi^ed = Tadapt and solving this 
equation, one can compute PDRj^ . Based on this, a 
decision can be made on whether to enable rate adapta- 
tion or use fixed-rate assignment. If the observed PDR 
is larger than the computed threshold, fixed rate should 
be used; otherwise, rate adaptation should be used. 

Validation of our analysis: In order to validate 
our analysis, we measure PDRj^ on 80 different links 
in the presence of a balanced jammer. We then com- 
pare them against the PDRj^ values computed with 
our analysis. Note here that the analysis itself depends 
on measured values of certain quantities (such as the 
jammer distribution and the function y{Ri)). In this 
experiment, we consider the SampleRate algorithm, and 
measure the values of x(F, Rs) and y{Ri). The jammer's 
sleep time follows /7[0,4] and the jamming time follows 
/7[1, 6]. Figure [4] plots the values of function y for differ- 
ent values of Rf. 

In Table [21 we compare the theoretically computed 
PDR thresholds with the ones measured on our testbed, 
for various values of Rf. We observe that the PDRf 
thresholds computed with our analysis are very similar 
to the ones measured on our testbed. There are slight 
discrepancies since our analysis is based on using mea- 
sured average values which may change to some extent 
over time. We wish to stress that while we verify our 
analysis assuming that the jammer is active and idle for 
uniformly distributed periods of time, our analysis de- 
pends only on expected values and is therefore valid for 
other jammer distributions. Finally, Figure [5] shows the 
advantage of using a fixed rate approach over SampleR- 
ate for various PDR values and with Rf = 54 Mbps. We 
observe that SampleRate provides higher throughputs 
only for very low PDR values. 

Next, we consider two extreme cases of jamming: fre- 
quent and rare jammers (see section [3]). The distribu- 
tions that we use in our experiments for these jammers 
are shown in Table [3l Note that by choosing the jam- 
mer's sleeping and jamming time from distributions like 
the one of the frequent jammer, we essentially construct 
a constant jammer. With frequent jammers, the differ- 
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Table 2: PDRf thresholds 

ence in the performance between fixed rate assignment 
and rate adaptation is larger, while for a rare jammer 
it is smaller. This is because with rare jamming, rate 
adaptation will have more time to converge and there- 
fore often succeeds in achieving the highest rate possible; 
one observes the opposite effect when we have a frequent 
jammer. The results are plotted in Figures [6] and B 
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Table 3: The jamming distributions that we use 
in our experiments. 

4.1.2 Random Jamming in Multi-hop Topologies 

Next, we examine the impact of a random jammer on 
the end-to-end throughput of a multi-hop path. We ex- 
periment with 15 different routes on our testbed. We 
fix static routes of various lengths (from 2 to 4 links per 
route) utilizing the route Unix tool in order to modify 
the routing tables of nodes. We place a jammer such 
that it affects one or more links. Along each route, links 
that are not affected by the jammer consistently use a 
rate adaptation algorithm. On the links that are sub- 
ject to jamming, our analysis dictates the decision on 
whether to use fixed or adaptive rate assignment. We 
measure the end-to-end throughput on the route. We 
show our results for routes on which, in the absence of a 
jammer, end-to-end throughputs of 6 and 12 Mbps were 
observed. From Figure [8] we see that the behavior with 
rate adaptation on multi-hop routes, in the presence of 



a random jammer, is the same as that on a single-hop 
link. In particular, with low data rates, a sufficiently 
high PDR has to be sustained over the route, in order 
for a fixed rate approach to perform better than rate 
adaptation. On the other hand, when routes support 
high data rates, fixing the rate on the individual links 
(that are affected by the jammer) as per our analytical 
framework, provides higher benefits. 

Choosing the right policy in practice: To sum- 
marize our findings, our analysis demonstrates that us- 
ing a fixed rate may be attractive on lossless links while 
it would be better to use rate adaptation on lossy links. 
However, as discussed, determining when to use one 
over the other in real time during system operations 
is difficult; the determination requires the knowledge of 
x(F, i?s), y{Ri) and estimates of how often the jammer 
is active/ asleep, on average. Thus, we choose a simpler 
practical approach that we call MRC for Markovian Rate 
Control. We will describe MRC in detail later (in section 
[5j) but in a nutshell, MRC induces memory into the sys- 
tem and keeps track of the feasible rates during benign 
jamming- free periods; as soon as the jammer goes to 
sleep, legitimate transmissions are invoked at the most 
recent rate used during the previous sleeping cycle of the 
jammer. We also perform offline measurements by di- 
rectly using our analytical formulation (with knowledge 
of the aforementioned parameters); these measurements 
serve as benchmarks for evaluating the efficacy of MRC 
(discussed in section [6]). 

4.2 Performance of Power Control in the Pres- 
ence of Random Jamming 

Next, we examine whether tuning power levels can 
help cope with the interference injected by a jammer. 
If we consider a single legitimate data link and a jam- 
mer, incrementing the transmission power on the data 
link should increase the SINR (signal-to-interference plus 
noise ratio) of the received data packets. Thus, one could 
argue that increasing the transmission power is always 
beneficial in jamming environments [TSj. 

We vary the transmission powers of both the jammer 
and legitimate transceiver, as well as the CCA threshold 
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proves the performance more 
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for two different transmis- 
sion rates. 



of the latter. Note that the jammer's transmission dis- 
tribution is not very relevant in this part of our study. 
Our expectation is that tuning the power of legitimate 
transceivers will provide benefits while the jammer is 
active. In other words, one can expect that the 
benefits from power control will be similar with 
any type of jammer. We define the following: 

• RSSItr ' The RSSI of the signal of the legitimate 
transmitter at its receiver. 

• RSSIrT' The RSSI of the signal in the reverse 
direction (the receiver is now the transmitter). 

• RSSIjT and RSSIjr: The RSSI values of the 
jamming signal at the legitimate transmitter and 
receiver, respectively. 

• RSSIj: The minimum of {i?^5/jT, RSSIjr}. 

• Pl and CCAl: The transmission power and the 
CCA threshold at legitimate transceivers. 

• Pj: The transmission power of the jammer. 
Our main observations are the following: 

• Mitigating jamming effects by incrementing 
Pl is viable at low data rates. It is extremely 
difficult to overcome the jamming interfer- 
ence at high rates, simply with power adap- 
tation. 

• Increasing CCAl restores (in most cases) the 
isolated throughput (the throughput achieved 
in the absence of jammers). 

We present our experiments and the interpretations thereof, 
in what follows. 

4.2.1 Increasing Pl to cope with jamming interfer- 
ence 

Increasing Pl will increase the SINR and one might 
expect that this would reduce the impact of jamming 
interference on the throughput. In our experiments we 
quantify the gains from employing such a "brute-force" 
approach. 



Details on the experimental process: We perform 
measurements on 80 different links and with 4 jammers. 
We consider different fixed values for Pj (from 1 dBm 
to 18 dBm). For each of these values we vary Pl be- 
tween 1 and 18 dBm and observe the throughput in the 
presence of the jammer, for all possible fixed transmis- 
sion rates. For each chosen pair of values {Pl,Pj}, we 
run 60-minute repeated experiments and collect a new 
throughput measurement once every 0.5 seconds. Both 
end-nodes of a legitimate link use the same transmission 
power. 

The combination of high Pl and low data rate 
helps mitigate the impact of low-power jammers. 

We experiment with many different locations of the jam- 
mers. Our measurements indicate that when high trans- 
mission rates are used, increasing Pl does not help al- 
leviate the impact of jammers. Sample results are de- 
picted in Figure [9l In this figure, we plot the percentage 
of the isolated throughput achieved in the presence of 
jamming, for two representative combinations of Pl and 
Pj and for 2 different rates. In our experiments on the 
80 considered links, there were no links where increment- 
ing Pl increased the throughput at high data rates, even 
with very low jamming powers. While there could ex- 
ist cases where incrementing Pl could yield benefits at 
high rates, this was not observed. In contrast, we ob- 
serve that with low data rates and when Pj is low, data 
links can overcome jamming to a large extent by increas- 
ing Pl . Figure [10] depicts another representative subset 
of our measurement results where all legitimate nodes 
use Pl = 18 dBm, while Pj is varied between 1 and 18 
dBm. We observe that the combination of high Pl with 
low data rate helps overcome the impact of jamming, 
when Pj is low. Note also that when Pj is high, it is 
extremely difficult to achieve high average throughput. 

The above observations can be explained by taking a 
careful look at the following two cases: 

Strong jammer: Let us consider a jammer such that 
RSSI J > CCAl. This can result in two effects: (a) The 
sender will sense that the medium is constantly busy and 
will defer its packet transmissions for prolonged periods 
of time, (b) The signals of both the sender and the jam- 
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Figure 10: Percentage of the 
isolated throughput in the 
presence of a balanced jam- 
mer for various Pj and Pj 
values and data rates. 




Figure 11: Percentage of the 
isolated throughput in the 
presence of a balanced jam- 
mer Vs. RSSIj, for CCAl= 
-80 dBm. 




Figure 12: Percentage of the 
isolated throughput, for var- 
ious RSSIj values, and for 
CCAl = -50 dBm. 
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Figure 13: Percentage of the 
isolated throughput, for vari- 
ous CCAl values and various 
Pl values. Pj = 20 dBm. 
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Figure 14: Careful CCA 
adaptation significantly 
improves the end-to-end 
throughput along a route. 
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Figure 15: MRC outper- 
forms current rate adapta- 
tion algorithms, especially 
for high values of K. 



mer will arrive at the receiver with RSSI values higher 
than CCAl. This will result in a packet collision at 
the receiver. In both cases, the throughput is degraded. 
Our measurements show that it is not possible to miti- 
gate strong jammers simply by increasing Pl- 

Weak jammer: Let us suppose that the jammer's 
signals arrive with low RSSI at legitimate nodes. This 
may be either due to energy-conservation strategies im- 
plemented by the jammer causing it to use low Pj (e.g., 2 
dBm), or due to poor channel conditions between a jam- 
mer and a legitimate transceiver. At high transmission 
rates, the SINK required for the successful decoding of a 
packet is larger than what is required at low rates (shown 
in Tabled]) [llj. Our throughput measurements show 
that even in the presence of weak jammers, the SINR 
requirements at high transmission rates are typically not 
satisfied. However, since the SINR requirements at lower 
data rates are less stringent, the combination of high Pl 
and low rate, provides significant throughput benefits. 
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Table 4: SINR levels required for successful 
packet decoding, in 802.11a/g. 



4.2.2 Tuning CCAl on single-hop settings 

Next, we investigate the potential of adjusting CCAl 
in conjunction with Pl. 



Implementation and experimental details: For 

these experiments we exclusively use the Intel- 291 5 cdiids; 
these cards allow us to tune the CCA threshold. We have 
modified a prototype version of the AP/client driver, in 
order to periodically collect measurements for RSSItr, 
RSSIrt and RSSIj. We consider 80 AP-client data 
links, with traffic fiowing from the AP to the client. As 
before, we divide the 80 data links into 20 sets of 4 iso- 
lated links. We use Intel's proprietary rate adaptation 
algorithm, which has been implemented in the firmware 
of the Intel- 29 15 cards. We measure the achieved data 
throughput for different values of Pl and CCAl. Both 
nodes of a data link use the same power and CCA thresh- 
old values. 

Tuning the CCA threshold is a potential jam- 
ming mitigation technique. To begin with, we per- 
form throughput measurements with the default CCAl 
value (-80 dBm), and with various RSSIj values. We 
observe from FigurefTTlthat when RSSIj < CCAl^ data 
links achieve high throughputs. This is because signals 
with RSSI < CCAl are ignored by the transceiver's 
hardware. In particular, (a) such signals do not ren- 
der the medium busy, and (b) receivers are trying to 
latch onto signals with RSSI > CCAl, while other sig- 
nals are considered to be background noise. Moreover, 
even when RSSIj is slightly larger than CCAl, we still 
observe decent throughput achievements for the cases 
wherein data links operate at high SINR regimes. These 
measurements imply that the ability to tune CCAl can 



help receive data packets correctly, even while jammers 
are active. 

In order to further explore the potential of such an 
approach, we vary CCAl from -75 to -30 dBm on each 
of the considered 80 links. Figure [12] depicts the re- 
sults for the case where CCAl is equal to -50 dBm. We 
observe that increasing CCAl results in signifi- 
cantly higher data throughputs, even with quite 
high RSSIj values. More specifically, from Figure 
[12] we observe that when RSSIj is lower than CCAl^ 
links can achieve up to 95% of the throughput that is 
achieved when the link operates in isolation (jamming- 
free). When RSSIj ^ CCAl^ data links still achieve 
up to 70% of the jamming- free throughput (capture of 
data packets is still possible to a significant extent). As 
one might expect, if RSSIj ^ CCAl^ there are no per- 
formance benefits. 

Our observations also hold in some scenarios where, 
Pj > Pl' Figure [13] presents the results from one such 
scenario. We observe that appropriate CCA settings 
can allow legitimate nodes to exchange traffic effectively, 
even when Pj ^ Pl. This is possible if the link condi- 
tions between the jammer and the legitimate transceivers 
are poor and result in low RSSIj. Note here that one 
cannot increase CCAl to arbitrarily high values on le- 
gitimate nodes. Doing so is likely to compromise con- 
nectivity between nodes or degrade the throughput due 
to failure of capturing packets as seen in Figure [13] for 
Pl = hdBm and Pl = lOdBm. 

4.2.3 Tuning CCAl in multi-hop configurations 

We perform experiments with various CCA thresholds 
along a route. Previous studies have shown that in order 
to avoid starvation due to asymmetric links, the trans- 
mission power and the CCA threshold need to be jointly 
tuned for all nodes of the same connected (sub) network 
[11]. In particular, the product C = Pl - CCAl must 
be the same for all nodes. Given this, we ensure that 
C is the same for all nodes that are part of a route. In 
particular, we set Pl to be equal to the maximum pos- 
sible value of 20 dBm on all nodes of a route; for each 
run, CCAl is therefore set to be the same on all of the 
nodes on the route. Throughout our experiments with 
multi-hop traffic, nodes on one route do not interfere 
with nodes that are on other routes. In scenarios where 
nodes belonging to different routes interfere with each 
other, if all nodes use the same Pl, their CCAl values 
must be the same [TT], [29]. However, we did not ex- 
periment with such scenarios given that our objective is 
to isolate the impact of a jammer and not to examine 
interference between coexisting sessions in a network. 

We experiment with the same multi-hop settings as in 
sect ion l¥. 1.21 Figure [TH presents the results observed on 
one of our routes. We observe that careful CCA tuning 
can provide significant average end-to-end throughput 
benefits along a route. 

5. DESIGNING ARES 



In this section, we design our system ARES based on 
the observations from the previous section. ARES is 
composed of two main modules: (a) a rate module that 
decides between fixed or adaptive-rate assignment, and 
(b) a power control module that facilitates appropriate 
CCA tuning on legitimate nodes. 

Rate Module in ARES: As discussed in section l^?T| 
our experiments with three popular rate adaptation al- 
gorithms show that the convergence time of the algo- 
rithms affects the link performance in random-jamming 
environments. This convergence time is largely imple- 
mentation specific. As an example, our experiments with 
both SampleRate and Onoe show that in many cases it 
takes more than 10 sec for both algorithms to converge 
to the "best" rate; [30j reports similar observations. The 
rate module in ARES decides on whether a fixed or an 
adaptive-rate approach should be applied. 

MRC: Markovian Rate Control: MRC is an algorithm- 
patch that can be implemented on top of any rate con- 
trol algorithm. MRC is motivated by our analysis in 
section H] However, as discussed earlier, it does not di- 
rectly apply the analysis, since this would require exten- 
sive offline measurements (the collection of which can be 
time-consuming) and estimates of the jammer active and 
sleep periods. The key idea that drives MRC is that a 
rate adaptation algorithm need not examine the perfor- 
mance at all the transmission rates during the sleeping 
period of the jammer. The algorithm simply needs to re- 
member the previously used transmission rate, and use 
it as soon as the jammer goes to sleep. Simply put, 
MRC introduces memory into the system. The system 
keeps track of past transmission rates and hops to the 
stored highest-rate state as soon as the jammer goes to 
sleep. Since the channel conditions may also change due 
to the variability in the environment, MRC invokes the 
re-scanning of all rates periodically, once every K con- 
secutive sleeping/jamming cycles. When = 1 we do 
not expect to have any benefits, since the scanning takes 
place in each cycle. 

Note here that the appropriate value of K depends on 
the environment and the sleep and active periods of the 
jammer. One could adaptively tune the K value. As an 
example, an additive increase additive decrease strategy 
may be used where one would increase the value of K 
until a degradation is seen. The K value would then 
be decreased. The implementation of such a strategy is 
beyond the scope of this paper and will be considered in 
the future. 

Implementation details of MRC: The implementation 

(a) keeps track of the highest transmission rate used over 
a benign time period (when the jammer is asleep) and, 

(b) applies this rate immediately upon the detection of 
the next transition from the jammer's active period to 
the sleeping period. 

Figure [T5] presents a set of measurements with MRC, 
with intermittent SampleRate invocations (once every K 
cycles) for K = {3,30}. We observe that MRC outper- 
forms pure SampleRate in jamming environments, es- 



pecially with larger values of K. With small the 
rate adaptation algorithm is invoked often and this re- 
duces the achieved benefits. Furthermore, MRC pro- 
vides throughput that is close to the maximum achiev- 
able on the link (which may be either with fixed or adap- 
tive rate, depending on whether the link is lossy or loss- 
less). 

Power Control Module in ARES: As discussed in 
section 1421 increasing Pl is beneficial at low rates; while 
at high rates this is not particularly useful, it does not 
hurt either. Since our goal in this paper is to propose 
methods for overcoming the effects of jamming (and not 
legitimate) interference, we impose the use of the maxi- 
mum Pl by all nodes in the presence of jammers. The 
design of a power control mechanism that in addition 
takes into account the imposed legitimate interference 
(due to high Pl) is beyond the scope of this paper. 

More significantly, our power control module over- 
comes jamming interference by adapt ively tuning CCAl- 
The module requires the following inputs on each link: 

• The values of RSSItr, RSSIrt, RSSIjr, and 
RSSIjT' These values can be easily observed in 
real time. 

• An estimation for the shadow fading variation of 
the channel, A. Due to shadow fading, the above 
RSSI values can occasionally vary by A. The value 
of A is dependent on the environment of deploy- 
ment. One can perform offline measurements and 
configure the value of A in ARES. 

We determine the variations in RSSI measurements via 
experiments on a large set of links. The measurements 
indicate that A is approximately 5 dB for our testbed 
(a less conservative value than what is reported in [31j). 
The value of CCAl has to be at least A dB lower than 
both RSSItr and RSSIrt^ to guarantee connectivity 
at all times. Hence, ARES sets: 

CCAl = min{RSSlTR, RSSIrt) - A, if 

max{RSSIjT,RSSIjR)<min{RSSlTR,RSSlRT) - A. 

Otherwise, CCAl is not changecH. This ensures that le- 
gitimate nodes are always connected, while the jammer's 
signal is ignored to the extent possible. Our experiments 
indicate that, especially if 

max{RSSIjT,RSSIjR)<min{RSSlTR,RSSlRT) - 2A, 

the data link can operate as if it is jamming- free. 

In order to avoid starvation effects, the tuning of the 
CCA threshold should be performed only when nodes 
that participate in power control belong to the same 
network [29j. Unless collocated networks cooperate in 
jointly tuning their CCA (as per our scheme), our power 
control module will not be used. Note that when jam- 
ming attacks become more prevalent, cooperation be- 
tween coexisting networks may be essential in order to 

^We choose not to tune CCAl, unless we are certain that it 
can help alleviate jamming interference. 



fight the attackers. Hence, in such cases collocated net- 
works can have an agreement to jointly increase the CCA 
thresholds when there is a jammer. 

Implementation details: Our power control algo- 
rithm can be applied in a centralized manner by having 
all legitimate nodes report the required RSSI values to a 
central server. The central server then applies the same 
CCAl value to all nodes (of the same connected net- 
work). The chosen CCAl is the highest possible CCA 
threshold that guarantees connectivity between legiti- 
mate nodes. This reporting requires trivial modifications 
on the wireless drivers. We have implemented a central- 
ized functionality when our network is configured as a 
multi-hop wireless mesh. 

In a distributed setting, our algorithm is applicable 
as long as legitimate nodes are able to exchange RSSI 
information. Each node can then independently deter- 
mine the CCAl value. To demonstrate its viability, we 
implement and test a distributed version of the power 
control module in a 802.11a/g WLAN configuration. In 
particular, we modify the Intel prototype AP driver, by 
adding an extra field in the "Beacon" template. This 
new field contains a matrix of RSSI values of neighboring 
jammers and legitimate nodes. We enable the decoding 
of received beacons in the AP driver (they do not read 
these by default). Assuming that a jammer imposes al- 
most the same amount of interference on all devices (AP 
and clients) within a cell, the AP of the cell determines 
the final CCAl after a series of iterations in a manner 
very similar to the approaches in [29], [TT]. 

Combining the modules to form ARES: We com- 
bine our rate and power control modules to construct 
ARES as shown in Figure [161 ARES also includes a 
jamming detection functionality. Towards this we in- 
corporate a mechanism that was proposed in [15]; this 
functionality performs a consistency check between the 
instantaneous PDR and RSSI values. If the PDR is ex- 
tremely low while the RSSI is much higher than the de- 
fault CCAl^ the node is considered to be jammed. 

The goal of ARES is to detect jammers and apply the 
individual modules as appropriate. ARES applies the 
power control module first, since with this module, the 
impact of the jammer (s) could be completely overcome. 
If the receiver is able to capture and decode all packets 
in spite of the jammer's transmissions, no further ac- 
tions are required. Note that even if CCAl > RSSIj, 
the jammer can still affect the link performance. This 
is because with CCA tuning the jamming signal's power 
is added to the noise power. Hence, even though the 
throughput may increase, the link may not achieve the 
"jamming- free performance" while the jammer is active. 
If the jammer still has an effect on the network per- 
formance after tuning CCAl^ (or if CCA tuning is in- 
feasible due to the presence of collocated uncooperative 
networks) ARES enables the rate module. Note that the 
two modules can operate independently and the system 
can bypass any of them in case the hardware/software 
does not support the specific functionality. 
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Figure 16: ARES: our Ant i- jamming Reinforcement System. 



6. EVALUATING OUR SYSTEM 

We first evaluate ARES by examining its performance 
in three different networks: a MIMO-based WLAN, a 
mesh network in the presence of mobile-jammers, and 
an 802.11a WLAN setting where uplink TCP traffic is 
considered. 

ARES boosts the throughput of our MIMO 
WLAN under jamming by as much as 100%: Our 

objective here is twofold. First, we seek to observe and 
understand the behavior of MIMO networks in the pres- 
ence of jamming. Second, we wish to measure the ef- 
fectiveness of ARES in such settings. Towards this, we 
deploy a set of 7 nodes equipped with Ralink RT2860 
miniPCI cards. 

Experimental set-up: We examine the case for a 
WLAN setting, since the RT2860 driver does not cur- 
rently support the ad-hoc mode of operations. MIMO 
links with Space-Time Block Codes (STBC) are expected 
to provide robustness to signal variations, thereby re- 
ducing the average SINR that is required for achieving 
a desired bit error rate, as compared to a corresponding 
SISO (Single-Input Single-output) link. We modify the 
client driver of the cards to enable 2x2 STBC support. 
This involves adding the line 

{"HtStbc" , Set_HtStbc_Proc} 

into the RTMP_PRIVATE.SUPPORT.PROC stTuct ar- 
ray, located in os/linux/sta_ioctl . c in the driver. We 
consider 2 APs, with 2 and 3 clients each, and two jam- 
mers. Fully-saturated downlink UDP traffic flows from 
each AP to its clients. 

Applying ARES on a MIMO-based WLAN: We 
first run experiments without enabling ARES. Interest- 
ingly, we observe that in spite of the fact that STBC 
is used, 802.1 In links present the same vulnerabilities 
as 802.11a or g links. In other words, MIMO does not 
offer significant benefits by itself, in the presence of a 
jammer. This is due to the fact that 802.1 In is still 
employing CSMA/CA and as a result the jamming sig- 
nals can render the medium busy for a MIMO node as 
well. Moreover, for STBC codes to work effectively and 
provide a reduction in the SINR for a desired bit er- 
ror rate (BER), the signals received on the two antenna 
elements will have to experience independent multipath 
fading effects. In other words, a line of sight or dominant 
path must be absent. However, in our indoor testbed. 



given the proximity of the communicating transceiver 
pair, this may not be the case. Thus, little diversity 
is achieved [32 and does not suffice in coping with the 
jamming effects. 

Next, we apply ARES and observe the behavior. The 
path that ARES follows (in Figure [T6|) isl^5^7^ 
8^9. Since the CCA threshold is not tunable with 
the RT2860 cards, ARES derives decisions with regards 
to rate control only. Figure [iTl depicts the results. We 
observe that the configuration with ARES outperforms 
the rate adaptation scheme that is implemented on the 
RT2860 cards in the presence of the jammer, by as much 
as 100%. Note that higher gains would be possible, if 
ARES was able to invoke the power control module. 

In Figure [T3 we also compare the throughput with 
MRC against the suggested settings with our analysis 
(these settings allow us to obtain benchmark measure- 
ments possible with global information). The param- 
eters input to the analysis are the following: (a) The 
jammer is balanced with a jamming distribution /7[1, 5] 
and a sleep distribution /7[1,6]. (b) We examine 4 Ra 
values: 13.5, 27, 40.5, 54 Mbps. (c) F = Mbps. (d) 
We input estimates of the y{Ri) values which are ob- 
tained via comprehensive offline measurements, (e) The 
offline measured PDRf. We observe that the perfor- 
mance with MRC is quite close to our benchmark mea- 
surements. These results show that in spite of having 
no information with regards to the jammer distribution 
or the convergence times of the rate adaptation algo- 
rithms, MRC is able to significantly help in the presence 
of a random jammer. 

ARES increases the hnk throughput by up to 
150% in a mesh deployment with mobile jam- 
mers: Next, we apply ARES in an 802.11a/g mesh net- 
work with mobile random jammers. We also consider 
a frequent jammer (jamming distribution /7[1,20] and 
sleeping distribution /7[0, 1]). The jammer moves to- 
wards the vicinity of the legitimate nodes, remains there 
for k seconds, and subsequently moves away. For the 
mobile jammer we used a laptop, equipped with one of 
our Intel cards, and carried it around. The power control 
module is implemented in a centralized manner. ARES 
increases CCAl in order to overcome the effects of jam- 
ming interference, to the extent possible. In this case, 
due to the aggressiveness of the considered jammer (pro- 
longed jamming duration), the rate adaptation module 
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Figure 17: ARES 
provides significant 
throughput benefits 
in a MIMO network 
in the presence of 
jammers. 
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Figure 18: ARES 
provides significant 
throughput improve- 
ment in mobile- 
jamming scenarios. 
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Figure 19: ARES im- 
proves the chent-AP 
link throughput by 
130% with TCP traf- 
fic scenarios. 
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Figure 20: MRC im- 
proves the through- 
put of neighbor legiti- 
mate devices, as com- 
pared to SampleRate. 



does not provide any benefits (since rate control helps 
only when the jammer is sleeping). In this scenario, 
ARES follows the path: 1^2^3^4^6^7^ 
8^9. Figure [TSl depicts throughput-time traces, with 
and without ARES, for an arbitrarily chosen link and 
k ~ 200. The use of ARES tremendously increases the 
link throughput during the jamming period (by as much 
as 150 %). We have observed the same behavior with a 
distributed implementation of the power control module 
in an 802.11a WLAN setting. 

ARES improves the total AP throughput by up 
to 130% with TCP traffic: Next, we apply ARES on 
a 802.11a WLAN. For this experiment, we use nodes 
equipped with the Intel- 29 15 cards. We consider a set- 
ting with 1 AP and 2 clients, where clients can sense 
each others' transmissions. We place a balanced jammer 
(jamming distribution /7[1,5] and sleeping [/[I, 8]) such 
that all 3 legitimate nodes can sense its presence. We en- 
able fully-saturated uplink TCP traffic from all clients to 
the AP (using iperf) and we measure the total through- 
put at the AP, once every 0.5 sec. In this scenario, ARES 
follows the path: 1^2^3^4^6^7^8^9. 
From Figure [191 we observe that the total AP through- 
put is improved by up to 130% during the periods that the 
jammer is active. The benefits are less apparent when 
the jammer is sleeping because TCP's own congestion 
control algorithm is unable to fully exploit the advan- 
tages offered by the fixed rate strategy. 

Applying MRC on an AP improves the through- 
put of neighbor APs by as much as 23%: With 
MRC, a jammed node utilizes the lowest rate (when 
the jammer is active) and highest rate (when the jam- 
mer is sleeping) that provide the maximum long-term 
throughput. With this, the jammed node avoids exam- 
ining the intermediate rates and, as we showed above, 
this increases the link throughput. We now examine how 
this rate adaptation strategy affects the performance of 
neighbor legitimate nodes. We perform experiments on a 
topology consisting of 4 APs and 8 clients, with 2 clients 
associated with each AP, all set to 802.11a mode. A bal- 
anced jammer with a jamming distribution t/[l,5] and 
a sleep distribution t/[l,6] is placed such that affects 



only one of the APs. Only the affected AP is running 
MRC; the rest of the APs use SampleRate. We activate 
different numbers of APs at a time, and we enable fully- 
saturated downlink traffic from the APs to their clients. 
Figure [2Ql depicts the average total AP throughput. In- 
terestingly, we observe that the use of MRC on jammed 
links improves the performance of neighbor APs that are 
not even affected by the jammer. This is because the 
jammed AP does not send any packets using intermedi- 
ate bit rates (such as with the default operation of rate 
adaptation algorithms). Since MRC avoids the trans- 
mission of packets at lower (that the highest sustained) 
bit rates, the jammed AP does not occupy the medium 
for as prolonged periods as with the default rate con- 
trol techniques; the transmission of packets at the high 
rate (while the jammer is asleep) takes less time. Hence, 
this provides more opportunities for neighbor APs to 
access the medium, thereby increasing the AP through- 
put. Specifically, we observe that the throughput of one 
neighbor AP is improved by 23% (when the topology 
consists of only 2 APs, one of which is jammed). As we 
further increase the number of neighbor APs, the ben- 
efits due to MRC are less pronounced, due to increased 
contention (Figure [2Q|) . We elaborate of the efficacy of 
MRC in the following section. 

ARES converges relatively quickly: Finally, we 
perform experiments to assess how quickly the distributed 
form of ARES converges to a rate and power control 
setting. In a nutshell, our implementation has demon- 
strated that the network- wide convergence time of ARES 
is relatively small. With MRC, the rate control module 
can very rapidly make a decision with regards to the rate 
setting; as soon as the jammer is detected, MRC applies 
the appropriate stored lowest and highest rates. 

With regards to the convergence of the power control 
module, recall that our implementation involves the dis- 
semination of the computed CCA value through the pe- 
riodic transmission of beacon frames (one beacon frame 
per 100 msec is transmitted with our ipw2200 driver) 
p9j . As one might expect, the jammer's signal may col- 
lide with beacon frames, and this makes it more difficult 
for the power control module to converge. Note also 



that as reported in [29l [33], beacon transmissions are 
not always timely, especially in conditions of high load 
and poor-quality links (such as in jamming scenarios). 
We measure the network- wide convergence time, i.e., the 
time elapsed from the moment that we activate the jam- 
mer until all legitimate devices have adjusted their CCA 
threshold as per our power control scheme. First, we 
perform measurements on a multi-hop mesh topology 
consisting of 5 APs and 10 clients (2 clients per AP, all 
equipped with the Intel 2915 cards). In order to have an 
idea about whether the observed convergence time is sig- 
nificant, we also perform experiments without jammers, 
wherein we manually invoke the power control module 
through a user-level socket interface on one of the APs. 
We observe that the convergence time for the specific 
setting is approximately 1.2 sec. Then, we activate a 
deceptive jammer in a close proximity to 2 neighbor APs 
(MRC is disabled; the jammer affects only the 2 APs). 
Table [5] contains various average convergence times for 
the specific setting and for different Pj values. 



Pj (dB) 


Convergence time (sec) 


1 


1.8 


2 


2.4 


3 


2.8 


4 


3.5 



Table 5: Average convergence times (in sec) for 
different Pj values. 

We observe that even though the convergence time in- 
creases due to jamming, it still remains rather short. 
Furthermore, we perform extensive experiments with 8 
APs, 19 clients and 4 balanced jammers with Pj = 3 
dBm, all uniformly deployed. We observe that in its 
distributed form the power control module converges in 
approximately 16 sec in our network- wide experiments. 
Although one may expect different (lower or higher) con- 
vergence times with different hardware /software and/or 
mobile jammers, these results show that in a static topol- 
ogy the power control module converges relatively quickly. 

7. SCOPE OF ARES 

From our evaluations, it is evident that ARES can pro- 
vide performance benefits in the presence of jamming, 
even with other wireless technologies, and both in static 
and dynamically changing environments. In this section, 
we discuss some design choices and the applicability re- 
quirements of ARES. 

ARES does not require additional complicated 
hardware or software functionalities: The two mod- 
ules that constitute ARES are relatively easy to im- 
plement in the driver /firmware of commodity wireless 
cards, and do not require any hardware changes. The 
only software modification needed in the firmware in- 
volves the CCA tuning functionality. Specifically, it should 
be possible to change the CCA threshold as per the 
commands sent through a driver-firmware socket inter- 
face. To facilitate a distributed WLAN implementation 
of ARES, the AP driver needs to be modified to read the 
new Beacon template from the Beacons received from 



neighbor co-channel APs. Finally, clients need to apply 
the power and CCA settings determined by their affili- 
ated AP. 

On the effectiveness of MRC: Our analysis pro- 
vided in section [H is an accurate tool that decides be- 
tween the use of a fixed rate or a rate adaptation strat- 
egy. However, applying the analysis in a real system 
is quite challenging, for various reasons. In particular, 
as discussed earlier the analysis requires a set of inputs 
which may not be readily available. If the analysis were 
to be applied in real time, ARES would need to observe 
these values on the fiy and invoke the rate module when- 
ever significant, non-temporal changes are observed. It 
is also difficult to derive the jammer's distribution accu- 
rately and quickly. Such requirements make the appli- 
cation of the analysis somewhat infeasible in real-time 
systems. Furthermore, the analysis can account for the 
presence of one jammer only. In scenarios with multi- 
ple jammers, it cannot decide between fixed or adaptive 
rate. 

In contrast, our more practical scheme MRC does not 
need any inputs. It can operate efficiently even with 
multiple jammers. Note that MRC in its current form 
takes into account the tim^ that has elapsed since the 
last time that rate control was invoked. The policy is to 
invoke the rate adaptation strategy after periodic inter- 
vals. The optimal rate at which rate adaptation should 
be invoked depends on the temporal variability of the 
channel. In particular, to perform this optimally, ARES 
would need to measure (or estimate) the coherence time 
r of the channel (time for which the channel remains 
unchanged [34]) and invoke the rate control algorithm 
every r sees. While this is not possible with current 
802.11 hardware, it may be possible in the future [34] , 
Alternatively ARES could employ a learning strategy as 
discussed in Section [5l Enhancing the rate control mod- 
ule to address these issues is in our future plans. 

ARES with reactive and constant jammers: For 
the most part in this work we considered various types of 
random jammers. With constant jammers, rate adapta- 
tion is not expected to provide benefits, since the contin- 
uous jamming interference does not allow the use of high 
rates. Nevertheless, rate control (even as a standalone 
module) is expected to provide benefits in the presence 
of reactive jamming. In particular, let us consider a 
link consisting of legitimate nodes A and B. The reac- 
tive jammer J needs to sense the ongoing transmission 
and quickly transmit its jamming signal. If we denote 
by t flights the fiight time of the legitimate packet and 
with t sense the time needed for J to sense this packet, 
then the probability of succesful packet corruptiorjl can 



^In its current form, this time is in terms of the number 
of jamming cycles; this can be easily modified to use more 
generic time units. 

^We assume an optimal reactive jammer, i.e., one which is 
able to jam at the exact time instance when it senses a legiti- 
mate packet (best case scenario for the adversary). In reality, 
this will not be the case. 



be calculated as: Pjam = P(t sense < ^ flight)- Assum- 
ing that tsensing IS Uniformly distributed at the interval 
[0,DIFS$we get: 



^flight 



I 



1 



DIFS 



dt 



t flight _ #hytes / packet 



DIFS 



rate ■ DIFS 



(2) 

From Eq. [2] it is clear that through the use of high 
bit rates and/or reduced packet sizes the probability of 
succesful reactive jamming can be decreased. However, 
there is a tradeoff between successful reception and de- 
creased jamming probability that needs to be examined 
more carefully. Finally, the power control module of 
ARES, can be useful in the presence of both constant (as 
shown in the previous section) and reactive jamming. 

8. CONCLUSIONS 

We design, implement and evaluate ARES, an anti- 
jamming system for 802.11 networks. ARES has been 
built based on observations from extensive measurements 
on an indoor testbed in the presence of random jammers, 
and is primarily composed of two modules. The power 
control module tunes the CCA thresholds in order to al- 
low the transmission and capture of legitimate packets 
in the presence of the jammer's signals, to the extent 
possible. The rate control module decides between fixed 
or adaptive-rate assignment. We demonstrate the effec- 
tiveness of ARES in three different deployments (a) a 
802. lln based MIMO WLAN, (b) a mesh network in- 
fested with mobile jammers, and (c) a 802.11a WLAN 
with uplink TCP traffic. ARES can be used in con- 
junction with other jamming mitigation techniques (such 
as frequency hopping or directional antennas). Overall, 
the application of ARES leads to significant performance 
benefits in jamming environments. 
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